Monitoring Application TCP traffic on Mac

My internet provider said my service was degraded due to the large amount of data uploading from my computer. As far as I knew, my computer wasn’t uploading anything but I didn’t know how to prove it.

I decided to try to write a DTrace program to look at it. (I also installed “Little Snitch”, which seems pretty cool.)

One problem with using DTrace on TCP on a Mac is that a lot of the providers and provider information I’m used to on Solaris aren’t on the Mac. Another problem is that when receiving data, the program shows up as kernel_task instead of the program that the data was meant for. To get around this I did two things: I recorded which program was using which IP when sending data, and I also used some code from a program by Brendan Gregg to track which programs connected on which IPs.
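Here is an added DTrace script, not from the post, that puts those two pieces together: the connect() clauses follow the connect-tracking approach mentioned above (copy the sockaddr in, keep the dotted quad per pid and fd), and the read/write clauses then charge bytes to the process that owns the fd, so received data no longer lands on kernel_task. It assumes macOS DTrace with the syscall provider, root privileges, and the AF_INET value 2 from <sys/socket.h>; the aggregation name @bytes and the arrays dest and known are this example’s own names.

```d
#!/usr/sbin/dtrace -s
/* Added example, not from the original post. Assumes macOS DTrace (syscall
 * provider) run as root. The IPv4 destination of each connect() is kept per
 * (pid, fd); bytes later moved through that fd are charged to the process and
 * address, so inbound data lands on the application, not on kernel_task. */
#pragma D option quiet
inline int AF_INET = 2;   /* value from <sys/socket.h> on macOS */

syscall::connect*:entry { this->fam = 0; }   /* clause-locals are not zeroed */
syscall::connect*:entry
/arg2 == sizeof (struct sockaddr_in)/
{
    this->sa = (struct sockaddr_in *)copyin(arg1, arg2);
    this->fam = this->sa->sin_family;
}
syscall::connect*:entry
/this->fam == AF_INET/
{
    this->ip = (uint8_t *)&this->sa->sin_addr;   /* dotted quad, no inet_ntoa() */
    dest[pid, arg0] = strjoin(lltostr(this->ip[0] + 0ULL), strjoin(".",
        strjoin(lltostr(this->ip[1] + 0ULL), strjoin(".",
        strjoin(lltostr(this->ip[2] + 0ULL), strjoin(".",
        lltostr(this->ip[3] + 0ULL)))))));
    known[pid, arg0] = 1;
}

/* The fd is visible at entry, the byte count only at return. */
syscall::write:entry, syscall::write_nocancel:entry,
syscall::sendto:entry, syscall::sendto_nocancel:entry
/known[pid, arg0]/
{ self->fd = arg0; self->dir = "out"; self->ok = 1; }
syscall::read:entry, syscall::read_nocancel:entry,
syscall::recvfrom:entry, syscall::recvfrom_nocancel:entry
/known[pid, arg0]/
{ self->fd = arg0; self->dir = "in"; self->ok = 1; }
syscall::write*:return, syscall::sendto*:return,
syscall::read*:return, syscall::recvfrom*:return
/self->ok/
{   /* a failed call returns -1: count only bytes actually moved */
    @bytes[execname, pid, dest[pid, self->fd], self->dir] = sum(arg0 > 0 ? arg0 : 0);
    self->ok = 0; self->dir = 0;
}
syscall::close*:entry
/known[pid, arg0]/
{ known[pid, arg0] = 0; dest[pid, arg0] = 0; }   /* fd numbers get reused */
dtrace:::END
{
    printf("%-16s %6s %-16s %-4s %s\n", "PROCESS", "PID", "DEST", "DIR", "BYTES");
    printa("%-16s %6d %-16s %-4s %@d\n", @bytes);
}
```

Run it for a few minutes and hit Ctrl-C; a process with a large “out” total against one address is the uploader to look at. Sockets obtained via accept(), IPv6 connections and data sent with sendmsg()/writev() are not counted, so extend the probe lists if those matter.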

So all in all, “Little Snitch” seems much better, but it’s a pay-for package, and DTrace, at least as far as I have been able to use it, is a bit lacking.

I’m sure someone out there could put together a more useful DTrace TCP script for the Mac. Looking forward to any revelations people might have.

I once heard the quip “you ask for hamburger and complain when I give you steak” when someone complained about not wanting to learn DTrace and just wanting to use a standard tool. I’d say instead of steak for hamburger it’s more like someone gives you a whole side of beef hanging on a hook when you are just asking for a hamburger, or maybe like giving you the whole herd when you just want a hamburger. It’s often a lot of work to get to the hamburger, or steak, from there, though with some insight, especially into the kernel code, one can do amazing things.